FLARE On Challenge (2015) #8

When you open this challenge directly in IDA, you may be as disappointed as I was: there is only a little code at the Entry Point, and it seems to do nothing useful:
ch8_disass1

However, if you open this file in a text editor, you may find the secret: there are a lot of Base64-like strings inside the file:
ch8_text

After decoding those strings, you get a PNG file that looks like the one below:
ch8_png

The first time I saw this picture, I believed that some information must be hidden in it. After Googling, I found a wonderful tool named Stegsolve which can help with analyzing the hidden information in a picture.

If you are not familiar with steganography, I recommend reading the following Wiki page:
https://en.wikipedia.org/wiki/Steganography

One famous approach to hiding information in a picture is to store each bit of the information in the least significant bit (LSB) of each 8-bit color value of each pixel (three such values per pixel in a 24-bit bitmap). So let’s use Stegsolve to extract this information; the extracted data looks like below:
ch8_extract

At first glance, there seems to be no useful information. However, if you are very familiar with the Windows Portable Executable file format, you may find some similarities when you compare the extracted binary data with a PE file:
ch8_cmp

Now we can guess that the information hidden in this picture is actually an encrypted PE file, so let’s see if we can decrypt it. From the comparison above, we can at least know two things:
1. The file seems to be encrypted by a byte-by-byte encryption algorithm.
2. Some special bytes like 0x00 and 0xFF seem to stay the same after encryption.

Next, let’s assume the first two bytes are the magic string “MZ” and the name of the first section is “.text”, so that we can compare those bytes to see how they get encrypted:
ch8_cmpbytes

What’s your finding here? Yes, the ciphertext only reverses the bit order of each byte of the plaintext! Now we can write a Python script to decrypt the file:

def bit_reverse(byte):
    # Reverse the order of the 8 bits in one byte (e.g. 0x01 -> 0x80);
    # 0x00 and 0xFF map to themselves, which matches what we saw above.
    out = 0
    for _ in range(8):
        out = (out << 1) | (byte & 0x01)
        byte >>= 1
    return out

# Python 3: iterating over bytes yields ints, so no ord()/chr() needed.
with open('gdssagh.bin', 'rb') as f:
    data = bytes(bit_reverse(b) for b in f.read())

with open('gdssagh.out.exe', 'wb') as f:
    f.write(data)
print('Result written to file gdssagh.out.exe.')
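An added example (not code from the original post) that walks the whole pipeline on constructed data in Python 3: embed a payload in the LSB of each colour channel, extract it, and show that bytes with reversed bit order, as seen in this challenge, are exactly what you get when the extracted bits are packed in the opposite order, so trying both packing orders and checking for the “MZ” signature is a quick sanity check before assuming a separate cipher. All function names, the sample payload and the cover pixels are constructed for this example.

```python
# Constructed sample payload: the first 16 bytes of a typical DOS header.
# It is not data taken from the challenge image.
PAYLOAD = bytes.fromhex("4d5a90000300000004000000ffff0000")

def embed_lsb(pixels: bytes, payload: bytes) -> bytes:
    """Store payload bits, MSB first, in the LSB of consecutive channel bytes
    (R, G, B, R, G, B, ... of a 24-bit image flattened row by row)."""
    bits = [(b >> (7 - i)) & 1 for b in payload for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("cover image too small for payload")
    out = bytearray(pixels)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit
    return bytes(out)

def extract_lsb(pixels: bytes, nbytes: int, msb_first: bool = True) -> bytes:
    """Collect the LSB of each channel byte and pack every 8 bits into one byte.
    msb_first=False packs in the opposite order, so each output byte comes out
    with its bit order reversed relative to msb_first=True."""
    out = bytearray()
    for i in range(nbytes):
        value = 0
        for j, ch in enumerate(pixels[i * 8:(i + 1) * 8]):
            value |= (ch & 1) << ((7 - j) if msb_first else j)
        out.append(value)
    return bytes(out)

def bit_reverse(byte: int) -> int:
    """Reverse the 8 bits of a byte: 0x4D -> 0xB2; 0x00 and 0xFF are unchanged."""
    return int(f"{byte:08b}"[::-1], 2)

def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check for a recovered PE file: DOS 'MZ' signature first."""
    return data[:2] == b"MZ"

def demo():
    # Constructed cover pixels: one channel byte per payload bit.
    cover = bytes((i * 37 + 11) & 0xFF for i in range(len(PAYLOAD) * 8))
    stego = embed_lsb(cover, PAYLOAD)
    straight = extract_lsb(stego, len(PAYLOAD), msb_first=True)
    swapped = extract_lsb(stego, len(PAYLOAD), msb_first=False)
    recovered = bytes(bit_reverse(b) for b in swapped)
    return straight, swapped, recovered

if __name__ == "__main__":
    s, w, r = demo()
    print("straight :", s.hex(), looks_like_pe(s))
    print("swapped  :", w.hex(), looks_like_pe(w))
    print("recovered:", r.hex(), looks_like_pe(r))
```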

Run the decrypted file and we get the email address:
ch8_ans
